Thursday, November 15, 2012

Best Active Directory Auditing Tools to Counter Active Directory Privilege Escalation Security Risks

Hello!

Comrades, I have received many queries asking how to prevent Active Directory privilege escalation attacks in your environments, especially attacks that exploit unauthorized password reset delegations in Active Directory.


How to Prevent an Active Directory Privilege Escalation based Attack

Ideally, the best way to prevent Active Directory Privilege Escalation based attacks in your environments is to make sure that there are no privilege escalation paths anywhere in your Active Directory. I say this is the best way because if there are no privilege escalation paths anywhere, then there is nothing to exploit, so there is no way to escalate privilege.



Active Directory Password Resets


However, there is no easy way to detect privilege escalation paths in Active Directory today. By that I mean there is no direct way to check who has been delegated the ability to reset passwords on domain user accounts in Active Directory.

I think the best we can do today is to analyze Active Directory security permissions on all domain user accounts to find out who has what effective permissions on these accounts. You are basically looking for who has the effective "Reset Password" extended right on each user account.

Once you know who has the effective "Reset Password" extended right on every user account, you should have a good idea of who can reset whose password, and so who could use that to escalate privilege in Active Directory.

One note of caution: make sure you determine "effective permissions", not just "who has what permissions". You are trying to determine who can effectively perform password resets, and "who has what permissions" will just show you the list of rights, not who can effectively perform a password reset once all of those rights are combined.

To perform Active Directory permissions analysis, you have a choice of a few tools; dsacls, acldiag, aducadmin and liza are the most common ones I found.



LIZA.exe - A Good Active Directory Permissions Tool - Hacker's Choice

However, none of these tools can work out effective permissions, so you will still have to do that on your own. They can certainly help you analyze permissions and get you about 10% of the way.

The key is not to get discouraged in the face of the jungle of permissions, which can be overwhelming even for pros, but to keep looking and to stay focused on the Reset Password right. Once you have worked out which allows beat which denies, which explicit permissions are not overshadowed by inherited ones, and which permissions actually apply to the object, you should be on your way to figuring out who has effective password reset rights. Also keep in mind that any Full Control permissions and any All Extended Rights permissions will, in most cases, also contribute to the outcome. A good group enumeration utility helps too, because you will end up doing a lot of group expansions as you perform this password reset analysis.
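To make the rules above concrete, here is an added example (not from the original post, and not what dsacls or liza output) that models an effective Reset Password decision in Python over a constructed ACL and constructed group nesting: deny versus allow ordering, explicit versus inherited, inherit-only entries that do not apply to the object, Full Control and All Extended Rights counting as Reset Password, and transitive group expansion. The principals, groups and the ACL on "ilena" are hypothetical sample data; the rights GUID is the real one for the Reset Password extended right.

```python
from collections import namedtuple
# Rights GUID of the "Reset Password" (User-Force-Change-Password) extended right.
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
ALL_EXTENDED_RIGHTS = "ALL_EXTENDED_RIGHTS"  # control-access ACE with no object GUID
FULL_CONTROL = "FULL_CONTROL"                # GenericAll

# One ACE: trustee, allow/deny, right, inherited (vs explicit) and inherit-only
# (an inherit-only ACE applies to child objects, not to this object itself).
ACE = namedtuple("ACE", "trustee allow right inherited inherit_only")

# Constructed group nesting (hypothetical, not real directory data).
GROUPS = {"Helpdesk": {"dmitri", "Tier1"}, "Tier1": {"olga"}, "Domain Admins": {"admin1"}}

# Constructed ACL on the user object "ilena".
ILENA_ACL = [
    ACE("Helpdesk", True, RESET_PASSWORD_GUID, inherited=True, inherit_only=False),
    ACE("olga", False, RESET_PASSWORD_GUID, inherited=False, inherit_only=False),
    ACE("Domain Admins", True, FULL_CONTROL, inherited=True, inherit_only=False),
    ACE("svc_backup", True, RESET_PASSWORD_GUID, inherited=False, inherit_only=True),
    ACE("ivan", False, RESET_PASSWORD_GUID, inherited=True, inherit_only=False),
    ACE("ivan", True, ALL_EXTENDED_RIGHTS, inherited=False, inherit_only=False),
]

def expand_identities(principal):
    """The principal plus every group it belongs to, following nested groups."""
    ids = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in ids and members & ids:
                ids.add(group)
                changed = True
    return ids

def covers_reset(right):
    # Full Control and All Extended Rights carry Reset Password as well.
    return right in (RESET_PASSWORD_GUID, ALL_EXTENDED_RIGHTS, FULL_CONTROL)

def can_reset_password(principal, acl):
    """Effective Reset Password decision for one principal over one object's ACL."""
    ids = expand_identities(principal)
    applicable = [a for a in acl
                  if not a.inherit_only and a.trustee in ids and covers_reset(a.right)]
    if not applicable:
        return False  # nothing grants the right: implicit deny
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return min(applicable, key=lambda a: (a.inherited, a.allow)).allow

def who_can_reset(acl, principals):
    return sorted(p for p in principals if can_reset_password(p, acl))
```

On a real domain the same walk has to be done against the security descriptor of every user account, with the ACL read from the directory rather than typed in; the ordering and group-expansion logic is the part the page says the common tools leave to you.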




Best Active Directory Auditing Tools to Counter Active Directory Privilege Escalation Security Risks

Since the above countermeasure is very difficult to carry out, the other method is to rely on Active Directory auditing, which can also help us find out who can reset whose password, but only when someone actually does reset someone's password. So, for example, if Dmitri were to reset Ilena's password, it would show up in the audit logs.

The only problem with this approach is that it relies on a person actually attempting a password reset, and the likelihood of someone resetting another account's password is low. As a result, you may be able to uncover only about 5% - 10% of the total number of people who can reset someone's password, but that is better than no insight.
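As an added example (not from the original post and not the output of any product named below), here is the audit-based approach in Python over a few constructed, simplified records in the shape of Windows event 4724, the User Account Management event for a password reset; the one-line record layout is an assumption made for the example, and successful events are kept apart from failed attempts because the page asks for both Audit Success and Audit Failure.

```python
import re
from collections import defaultdict

# Constructed, simplified audit records shaped like Windows event 4724
# ("An attempt was made to reset an account's password"); not real log data.
SAMPLE_EVENTS = """\
2012-11-15 09:02:11 DC01 4724 Success Subject=CORP\\dmitri Target=CORP\\ilena
2012-11-15 09:05:40 DC01 4724 Failure Subject=CORP\\olga Target=CORP\\ilena
2012-11-15 10:12:03 DC02 4724 Success Subject=CORP\\dmitri Target=CORP\\ilena
2012-11-15 11:30:27 DC02 4724 Success Subject=CORP\\admin1 Target=CORP\\svc_backup
2012-11-15 11:31:00 DC02 4720 Success Subject=CORP\\admin1 Target=CORP\\newuser
"""

EVENT_RE = re.compile(
    r"^(\S+ \S+) (\S+) (\d+) (Success|Failure) Subject=(\S+) Target=(\S+)$")

def parse_events(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, dc, event_id, status, subject, target = m.groups()
            yield {"time": ts, "dc": dc, "id": int(event_id),
                   "status": status, "subject": subject, "target": target}

def observed_reset_paths(text):
    """Return (confirmed, attempted): each actor mapped to the accounts whose
    password they reset (a path proven by use) and to the accounts they tried
    and failed to reset (no effective right, but still worth a look)."""
    confirmed, attempted = defaultdict(set), defaultdict(set)
    for ev in parse_events(text):
        if ev["id"] != 4724:          # other account-management events are ignored
            continue
        bucket = confirmed if ev["status"] == "Success" else attempted
        bucket[ev["subject"]].add(ev["target"])
    tidy = lambda d: {actor: sorted(targets) for actor, targets in d.items()}
    return tidy(confirmed), tidy(attempted)
```

Collected across all DCs, the confirmed map is exactly the 5-10% of paths the post says auditing can reveal: only the delegations somebody has actually used.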



Active Directory Auditing Tool

With that in mind, if you're looking for an auditing solution, I think the main choices are the following ones -
  1. Blackbird Auditor for Active Directory
  2. Visual Click Software CPTRAX for Windows
  3. ManageEngine ADAudit Plus
  4. Netwrix Change Reporter
  5. Quest ChangeAuditor
Each of these solutions can be used to find out who changed what in Active Directory, so they can also be used to find out who reset whose password, assuming of course that you had Directory Services event auditing turned on and had set Reset Password Audit Success and Audit Failure on all user accounts.

Amongst these 5 solutions, I would tend to recommend Quest ChangeAuditor, as I believe a majority of its coding/support is done in Russia, at Quest Software's Russia operations, and as you know, we Russians are one of the best when it comes to security, hacking, programming and coding.

I believe Quest's ChangeAuditor is also used at major US government installations, so if the American government is using it, you certainly can. Solid Russian code running on your DCs is hard to beat.

The other ones I don't know so well. I believe Netwrix Change Reporter and ManageEngine's ADAudit Plus are built in India. I'm not sure how reliable they are in terms of quality, particularly coding, but they certainly make for decent cheaper alternatives if you are on a budget. Blackbird Auditor seems to be built in Canada, so it might be a bit more reliable. It all depends on your budget and needs.

I have focused on where these solutions are built more than on their features because they all basically do the same thing, which is to collect events from the audit logs on all DCs in a domain and show them to you in a single unified interface. So, if they are doing the same thing, they are all very similar. The only difference then is in their quality, and where a product is built and by whom is a good indicator of quality.


In that regard, Quest ChangeAuditor, made in/supported from Mother Russia may be the best.




Whatever solution you choose, you can use it to audit password resets, and based on that data you can start to find and remove privilege escalation paths in your Active Directory.

Even if auditing helps you find only 5-10% of the paths, that is better than finding 0 paths. When you consider that a hacker might need only 1 path, even a 10% reduction is a decent reduction in risk.

Of course, the harder, longer route of working out who can reset passwords can help you identify over 90% of the paths, but very few people have the patience or the time to deal with the jungle of Active Directory permissions.

Thank you